The Computer and Security

In the world of business competition there has always been a problem of protecting proprietary information, from a secret recipe for barbecue sauce to the most sophisticated design information for a supersonic aircraft. There are now over 60,000 computers installed in the United States being used in various business and governmental applications (1). Most of these have been manufactured in the past twenty years. How has this relatively sudden adoption of computers changed the security problem? For one thing, it has resulted in a higher concentration of information in a single location. This might appear at first to improve security, for it is easier to provide physical security for the limited space of a computer facility than for acres of file cabinets. However, there are other aspects to this development which decrease security. The information in the computer system is more organized as well as more concentrated, and therefore is more vulnerable to unauthorized access. Hard copy files can only be lost by theft or physical destruction such as fire. Computer files can be magnetically erased, accidentally or intentionally. This can be caused by a hardware malfunction, software error or improper operating procedure. Systems with remote terminals or that can be accessed through common carriers are always subject to use by unauthorized persons unless proper security measures are taken.

From the evidence available it appears that the introduction of the computer has complicated the security problem. The situation is worsened by the fact that only recently has there been a widespread interest in the problem. All the answers [...] American Society for Industrial Security of a task force effort to develop a handbook for security problems, but this product is not yet published (2:18).

There are several different definitions of security as well as different kinds of security. For the most part, in this paper, the kind of security talked about is data security. Data security protects against accidental or unauthorized loss, modification, use, or disclosure of data (2:26). It makes little difference in the end result whether data destroyed or modified was done accidentally or intentionally if such action was unwanted. Some definitions confine security to the protection of classified defense information and apply privacy to commercial or industrial sensitive information (3:38). This appears to be an unnecessary complication since industry is involved with defense information and data security as defined above can provide protection to both kinds of data. Further, making such a restrictive definition of privacy causes confusion with the issue of personal privacy, which has been much in the news of late as a result of the expanding use of the computer by credit bureaus and government agencies (4).

In this paper security measures will be examined in three areas: (1) in the computer, (2) in the computer facility, and (3) external to the computer facility. The security measures to be taken in these three areas are interrelated. There are generally four requirements for good security: identification, authorization, audit, and system integrity (2:28). These requirements will be discussed as they pertain to each of the three areas. Since security is generally a more difficult problem in multi-programming or time-sharing use than in batch processing, only the former will be considered. Many of the measures are equally applicable to the latter method of operating a computer system.


Within the computer, both hardware and software features can be used to satisfy the identification requirement. It is usually necessary to know who is [...] is within the company and is connected to the computer with special single use lines, the identification of the terminal can be accomplished through hardware features. IBM has developed a system for unique identification of any remote terminal through characters generated only by electronic circuitry (2:28). Identifying the operator of the terminal is a more difficult matter. Many systems use passwords but they provide little security. Other systems use what is known as extended handshaking, i.e. putting questions in the computer only the particular user knows how to correctly answer. The main objection to this method is the cost in time and memory space. A proposed method not yet perfected is fingerprint readers or voice print recognition. Perhaps the system with the most promise is a card the size of a credit card with a magnetic stripe containing identification characters. The card can be lost but the finder would have to know what the owner of the card was authorized to do to make use of the card.

The authorization function is usually handled within the computer by software features. The monitor is the key to a secure system. It must control all input/output without exception. It acts as the overall guard of the system, operating under a set of rules by which it judges all requested actions (5). An example of the various levels of authorization is shown in TRW's Generalized Information Management System. In this system there are three levels of data at which security can be imposed: system, data list, and attribute (?:21). The monitor imposes security codes as required at each of these levels for two reasons: functional protection and data sensitivity. While a particular group of individuals may require access to certain files, it is usually not desirable to permit all of them to update the data. Those authorized to update data have a special code. In the same way, there is certain data, such as employee salary and future product design, which is limited to particular individuals by the same kind of code system.

The computer is well adapted to satisfying the third security requirement, audit. It can maintain a continuing log of what went on, e.g. who accessed what [...] sound an alarm when something not allowed is happening (2:30). The log is the ultimate defense against penetration as it provides the feedback necessary to strike the right balance between desired level of confidence and the impairment of production of the system due to interference of security restrictions.

The fourth requirement is system integrity. What is the probability that the computer will malfunction or make an error? Stated another way, what is the predictability of the system doing what you want it to do? There are several ways to obtain quality assurance, depending on what confidence level is desired and what cost is acceptable. For example, the control unit accesses one of the devices attached to the computer. What is the probability that this is the right device? If that probability does not give the required confidence level, it can be improved by programming another check in series with the device selection. The system can provide for identification of the data contained on the device. In this case the overall probability of having the system operate on wrong data as though it were the correct data is the product of the probabilities of the two individual errors. This results in a very low probability and a high confidence level. Another way to improve integrity is to thoroughly test and debug the program. Perhaps no program can be completely error free but with proper testing it can be nearly so. The coding in the monitor program which receives interrupts is one portion that must be error free. The confidence level can be improved by providing test programs in the monitor which routinely "attack" the system and try to break through the security barriers (7:3). Debugging or program testing presents special problems. An error in a program should not be able to destroy some other program or core memory, nor should an error result in the same procedures as is employed on an [...] of the offending program. The security rules cannot be suspended for a debugging operation. The usual approach is to flag that a debugging operation is in progress. Then, if a violation occurs, it is logged and the program is dumped to the user with the reason. This avoids sounding a major security alarm for an error during a debugging operation.
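
The monitor behaviour described in the authorization, audit and debugging passages above, as an added Python example that is not part of the original paper: one checkpoint judges every request at the three levels (system, data list, attribute), logs it, and treats a violation as an alarm unless a debugging operation is flagged. The rule table, the code names (`EMP`, `PERS-R`, `PERS-U`, `SAL`) and the class and function names are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed rule table (not from the paper): for each (level, name), the
# security codes that permit each action. An action with no codes is denied.
RULES = {
    ("system", "demo"): {"read": {"EMP"}, "update": {"EMP"}},
    # Functional protection: readers and updaters hold different codes.
    ("data_list", "personnel"): {"read": {"PERS-R", "PERS-U"},
                                 "update": {"PERS-U"}},
    # Data sensitivity: salary needs its own code on top of file access.
    ("attribute", "personnel.salary"): {"read": {"SAL"}, "update": {"SAL"}},
}


@dataclass
class Monitor:
    """Hypothetical monitor: every data request passes through request()."""
    rules: dict
    log: list = field(default_factory=list)     # audit trail of every request
    alarms: list = field(default_factory=list)  # violations outside debugging

    def request(self, user, codes, action, system, data_list, attribute,
                debugging=False):
        """Judge one request against all three levels; return (outcome, reason)."""
        path = [("system", system), ("data_list", data_list),
                ("attribute", f"{data_list}.{attribute}")]
        reason = None
        for level, name in path:
            rule = self.rules.get((level, name))
            if rule is None:
                if level == "system":       # fail closed on an unknown system
                    reason = f"unknown system '{name}'"
                    break
                continue                    # no code imposed at this level
            if not set(codes) & rule.get(action, set()):
                reason = f"no {action} code for {level} '{name}'"
                break
        if reason is None:
            outcome = "allowed"
        elif debugging:
            outcome = "dumped"              # still denied, logged with the reason
        else:
            outcome = "alarm"
            self.alarms.append((user, reason))
        # The log records allowed and denied requests alike.
        self.log.append((user, action, path[-1][1], outcome, reason))
        return outcome, reason


if __name__ == "__main__":
    m = Monitor(RULES)
    clerk = {"EMP", "PERS-R"}               # constructed user: read-only clerk
    print(m.request("clerk", clerk, "read", "demo", "personnel", "name"))
    print(m.request("clerk", clerk, "update", "demo", "personnel", "name"))
    print(m.request("clerk", clerk, "read", "demo", "personnel", "salary"))
    print(m.request("clerk", clerk, "update", "demo", "personnel", "name",
                    debugging=True))
    print(len(m.log), "log entries,", len(m.alarms), "alarms")
```
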




What would seem to be the most obvious security precaution in the computer facility is to keep unauthorized personnel out of the facility. However, many companies maintain their computer facilities as show places and give relatively little supervision to visitors. These companies have given no thought to the serious damage that could result from such a policy. For example, one person with a magnet in his pocket could cause havoc in the tape library. Letting in only those with business in the computer facility satisfies the identification requirement.

In the same way that individuals are identified, each should be authorized to do only certain things. Certainly the number of operating personnel who are authorized to make changes to programs or internally stored data should be strictly limited. The reasons for this are obvious when the serious consequences of even a minor change are considered. In a case at Cape Kennedy, a computer symbol equivalent to a comma was omitted from a program, causing a missile to veer so far off course it had to be destroyed (8:124). The personnel in a computer facility should comply with the operating procedures provided. From this it follows that there should be complete, current, and understandable instructions for all machine operations. One final item under the authorization requirement is designation of which individuals should have access to what type of classified or sensitive information. This requires that information of that type, such as data relating to customer credit, shareholders, and payroll, must be categorized by security levels.

In the same way that a log is required within the machine to provide an audit trail, a log is required within the facility showing operator interventions, machine halts and other occurrences indicating unusual conditions as well as machine performance in general, maintenance periods and compliance with operating schedules. The library is another area of great importance to the audit requirement. In addition to establishing controls over the use of library tapes, complete records of such use should be maintained. Procedures for maintaining libraries should include the requirement for back up tapes of current operating programs and data files. Such tapes can be invaluable in restoring lost or damaged data in case of a casualty or disaster to the computer itself.

While many companies are concerned about fraud through use of computers, a much greater danger is presented by inadvertent error. In the present state of the art of ADP the system integrity is highly dependent on human frailty. Humans make errors and every possible way must be taken to reduce such error to the lowest possible level. One way is to establish a quality control unit to sample the accuracy of data both before and after computer processing. This unit's function should be to spot data that are obviously unrealistic and permit corrections before major trouble develops (3:123). The problem of selection, training, and measuring the performance of computer personnel must be given continuing attention. John Diebold contends that there is a general lack of standards in these areas and that computer personnel are becoming the major cost of ADP in the United States (9:16). This argues for much more attention to this important area. One fairly obvious measure that parallels keeping records of machine performance is the recording of personnel performance as a part of the records of the computer facility. This gives management a measure of how well each employee is doing as well as a means of spotting trouble areas and the need for extra training. Sys- [...] major disasters. An obvious measure is protection against fire. In a recent instance, a light plane crashed into the building housing Applied Data Research, Inc., destroying the card files and some tapes. However, because the company had made a practice of storing all major source programs on Librarian tapes, they were able to recover from the disaster within a week (10:1?4). Duplicate or back up tapes of programs that are to be maintained should be stored in a location remote enough that they would not be likely to be lost in a disaster destroying the computer. Recovery from error is an important consideration. Data files that are maintained in core memory and are updated continuously must be dumped onto tape at frequent intervals if it is important to be able to recover quickly from an error or breakdown. However, this becomes quite expensive and a balance must be determined considering the likelihood of the need for recovery and the relative costs. Fortunately, hardware is becoming increasingly reliable, reducing the need for recovery, but such is not the case with software. It appears that software failures will be a problem for some time to come (11:31).

The final area in which security measures will be discussed is external to the computer facility. The problem of identification of remote terminals and users has already been discussed in connection with security measures within the computer. One possible measure not discussed was the fairly simple one of installing locks on the terminal. A different one for each user can be provided if necessary. The principal difficulty with this is the ease with which a lock can be overcome.


A principal consideration in connection with the authorization function is to determine the need for access to data by the personnel in the company. The more levels of access required and the more capability provided, the greater is the complexity of the system required. If a particular individual were to be permitted access to all the data on a particular file or files and none other, the problem of stating his authorization would be a simple one. In practice such simplicity seldom occurs. As files are combined to take full advantage of the capability of the data processing system, the authorization function becomes more difficult and complex. The need for access to data by personnel must be converted to a statement of authorization: what person is to see what data elements in what combinations and what values (2:30).

The audit function is most important to improve computer security. With the introduction of computers there was a lag in applying proper audit procedures to data processing operations because of the scarcity of auditors grounded in computer system principles. This condition is changing. The auditor must be involved from the inception of development of new computer systems. He should not have responsibility to develop a control system but rather to evaluate independently the procedures and facilities being designed to provide management an independent control appraisal of future systems. The auditor should make sure that computer systems are auditable when they become operational. In doing so he should use computer technology to the greatest degree possible. To some extent the audit work can then be performed as a by-product of regular computer operations. Among the techniques which can be used by the auditor are: (1) use of a model representing the company to test the accuracy of the system, (2) comparison or matching of two duplicate files, (3) sampling records on a random basis, (4) extracting specific records from the file, and (5) compilation of the results of a particular mathematical computation as a check on the accuracy of the application of the formula in a computer run. Any audit program should meet the requirements of certified public accountants, the Internal Revenue Service and Department of [...] auditors for companies involved in defense contracting (3:129).

System integrity might appear at first glance to be not dependent on any- [...] -ity can be degraded is by wire tapping. This poses very definite problems for the wire tapper. If the system is well designed, the wire tapper will be unable to operate as an impostor terminal. He will only be able to listen with the hope that information of use to him will come along. One way to avoid even this loss of information to a wiretapper would be to use scramblers. However, this poses many problems when used with common carriers and the cost is generally too great to make it attractive. Another threat to integrity is eavesdropping. It is possible with relatively inexpensive equipment to eavesdrop on remote terminal devices. It is much more difficult to get anything worthwhile eavesdropping on a central computer complex. If the cost of eavesdropping is plotted as a function of distance, the cost increases quite rapidly as distance increases. This suggests the answer to the eavesdropping problem. The terminal devices should be designed so they do not radiate beyond an area that can be controlled for the particular application. Another item that comes under system integrity is insurance. It is best to avoid the loss but, if a disaster does strike such as fire, flood or vandalism, it is important to have enough insurance to cover the financial loss involved in reconstructing the programs and data files that were destroyed as well as the loss in revenue during the time required for the reconstruction. This is necessary even though a well maintained library of back up files is maintained. A final item is the establishment of an overall control philosophy. Some companies have eliminated traditional controls to check human calculations on introduction of computer systems because "computers don't make mistakes." Such a course is itself a mistake, for computers are programmed and operated by humans. Assigning a top level executive the responsibility to direct corporate computer efforts is perhaps the most effective way to insure adoption of an up-to-date overall control philosophy.

In conclusion, two points should be made. The first is that 100% security is probably impossible. Good security depends on many different measures taken at different times and different places. These could be likened to the layers of an onion. One of them might be adequate to defeat a particular threat but all are necessary to provide a high level of confidence that all threats will be defeated. In any case, the level of security desired must be measured against the cost of obtaining it. The second concluding point is that good security depends on the entire organization whether there is an ADP system or not. Certainly, when the company has adopted an ADP system, all employees connected with the ADP system have a responsibility to ensure that data processing is adequately controlled and protected. But even those parts of the organization not directly connected with the ADP system should be included in the overall control philosophy. In the final analysis, the best security starts with top management and extends to all personnel.